Computer Worm Wreaks Havoc

NEW YORK – The latest virus-like attack on the Internet exposes more than a software flaw: The very strategy that managers of computer networks typically adopt for security has proven inadequate.

As network technicians worked Sunday to complete repairs to damage caused by Saturday's fast-spreading worm, government and private security experts worried that too many security managers are only fixing problems as they occur, rather than keeping their defenses up to date.

Security experts said Sunday that the problem was largely under control, though some worried that lingering infections could appear when businesses reopen Monday.

The FBI said Sunday that the attack's origin was still unknown.

The worm that crippled tens of thousands of computers worldwide and congested the network for countless others, even disabling Bank of America cash machines, took advantage of a vulnerability in some Microsoft Corp. software that had been discovered in July.

Microsoft had made software updates available to patch the vulnerability in its SQL Server 2000 software -- used mostly by businesses and governments -- but many system administrators had yet to install them.

"There was a lot that could have been done between July and now," said Howard A. Schmidt, President Bush's No. 2 cybersecurity adviser. "We make sure we have air in our tires and brakes get checked. We also need to make sure we keep computers up-to-date."

As the worm infected one computer, it was programmed to seek other victims by sending out thousands of probes a second, saturating many Internet data pipelines.

Unlike most viruses and worms, it spread directly through network connections and did not need e-mail as a carrier. Thus, only network administrators who run the servers, not end users, could do anything to remedy the situation.

According to Keynote Systems Inc., which measures Internet reliability and speed, network congestion increased download times at the largest U.S. Web sites by an average of 50 percent, and some sites were completely unavailable at times Saturday.

Bruce Schneier, chief technology officer at Counterpane Internet Security, said the attack proves that relying on patches is flawed "not because it's not effective, but many don't do it."

Two of the previous major outbreaks, Code Red and Nimda, also exploited known problems for which patches were available.

But with more than 4,000 new vulnerabilities reported last year, according to the government-funded CERT Coordination Center at Carnegie Mellon University, system administrators can have trouble keeping up.

Patches also take time to install and could disrupt other systems and applications. Schmidt said many network managers delay installing patches to fully test them first.

Microsoft spokesman Rick Miller said the company is working with network professionals to develop better tools, including ones to automatically scan systems for known vulnerabilities.

A larger problem is inadequate information on which patches need to be tested and installed first, said Dan Ingevaldson at the Internet Security Systems' X-Force research arm.

Preventing the next outbreak, security experts say, will mean rethinking security. Favored approaches range from getting vendors to make better software to paying private companies more money to handle the brunt of the work.

Microsoft executives have said they want to make security updates automatic so users could grant permission once and have multiple patches installed over the Internet whenever needed. Network managers, however, worry that such automation could inadvertently introduce problems for other applications.

George Kurtz, chief executive of security company Foundstone Inc., said antivirus and firewall products are no longer enough.

"Security is a journey, not a destination," he said. "It needs continuous care and feeding like a child."